2017 | SECURITY

Account takeover and identity theft are just the most well known of the many facets of fraud. © Shutterstock

Fighting Online Fraud

Paysafe Group’s EVP Daniel Kornitzer has pioneered industry-leading risk management processes. For PIN magazine he sums up his thoughts on fraud after 20-plus years in technology management.

We live in fascinating times. As a technologist at heart, I’m thrilled by the advances in big data, real-time streaming, correlation, virtual cubes and the like, and by the incredible promise of supercomputers and quantum computing. These technologies are creating value for individuals and communities around the world. For example, when quantum computing becomes commercially available, in the next five to 10 years, it will bring tremendous opportunities for science and medicine.

But every rose has its thorn: quantum computing will also make it easy for criminals to break public key cryptography, which is at the base of today’s online and mobile commerce. The problem is that the same advances available to companies and authorities are also available to organizations with unsavoury goals. Risk in digital payments is no longer only the work of isolated, malicious hackers in their basement, seeking to impress their friends, but of criminal organizations with access to a wealth of technical resources, such as organized crime, cause-motivated hacktivists and rogue nations.

These criminals can often correlate data from different breaches to either use or sell on the dark web. Stolen sensitive personal information can lead to all sorts of fraud, identity theft, account takeovers, and more. Compounding the problem is the ubiquity of digital payments. E-Commerce is approaching $2 trillion globally, and mobile is exploding, with currently five billion connected devices, a number predicted to reach anywhere between 25 and 50 billion by 2020. This growth is powered by the Internet of Things, which will allow our fridges to order milk and our dishwashers to order soap when they’re about to run out, obeying “intelligent contracts,” which are a sort of standing orders establishing the triggers and boundaries of these automated transactions.

»The conundrum of risk management boils down to two seemingly conflicting goals: consumer convenience and protection against fraud.«

- Daniel Kornitzer,
Executive Vice President and
Chief Product Officer at Paysafe

At Paysafe, a pioneer of E-Commerce since its inception in the late ’90s, we have seen virtually all flavors of risk and fraud, and have developed a unique expertise that combines knowledge, processes and proprietary technology, as well as the integration of leading third-party security tools and industry best practices, as recommended by the card schemes.

The conundrum of risk management boils down to two seemingly conflicting goals: (a) consumer convenience, and (b) protection against fraud. Convenience matters because consumers and merchants desire a frictionless environment: single tap, single click, remember-me features, etc. On the other hand, security needs continue to grow, with two-factor authentication, biometrics, etc.

The thing is … fraud has as many facets as there are flavors in a good Italian gelato shop. So what to do to keep fraudsters at bay? The key to mitigating E-Commerce risk is relentless vigilance. That means putting in place the tools that generate data: not a flood of useless reports that mostly go unread, but laser-focused data (threat intelligence), which leads to analysis and prompt action. There is no single answer or silver bullet to combat fraud, especially since fraud continually morphs and keeps taking new forms. Instead, a constantly evolving, multi-pronged approach has been proven to deliver excellent results, composed of the following elements:

• Staff training;

• Selecting the right processing partner;

• Refining your own offering (privacy, refund policy, easy access to customer service);

• Internal fraud prevention (access control, need-to-know basis);

• Use of fraud screening tools (device fingerprinting, IP geolocation);

• Use of scheme tools (AVS, CVV2, 3DS);

• Strict adherence to PCI DSS;

• Use of self-learning (i.e. machine learning) fraud management algorithms, which enable a reduction in false positives by detecting new fraud patterns;

• Outsorting for manual review of certain transactions;

• Monitoring of chargebacks, but also total volume, refunds and declines, for any unexpected spikes or other inconsistencies;

• Being great about risk and fraud is not a nice-to-have. It’s not about becoming a bit more profitable. It’s a major competitive differentiator.

Fraudsters are always looking for the path of least resistance. If your webshop is easier to defraud, you’ll be certain to attract an inordinate amount of fraud. Conversely, if you are better than your competition, you’ll effectively be “sending the fraud away.”

So, in my opinion, the best approach is to take control and create a path that, without compromising convenience and ease of use, protects your business and your consumers. As my very first boss taught me years ago, there are three secrets to success: preparation, preparation and preparation ... Risk management is no exception.


The many facets of fraud

Daniel Kornitzer has encountered fraud in hundreds of variations and forms during his long career in risk management and E-Commerce. Here is just a small sample of the most common:

the consumer, or a close family member, performs the transaction but then claims he/she did not.

fraudulent transactions for the sole purpose of generating affiliate commissions. The commissions are paid, then the affiliate disappears before the transactions come back as chargebacks.

the fraudsters get goods shipped to a legitimate-looking address, only to have the goods forwarded to the ultimate destination.

infected computers are used to initiate orders to take advantage of their “clean IP address.”

Emails that direct to a false webpage, aimed at collecting login credentials to defraud the unsuspecting consumer.

Involves spoofed emails that appear to come from people in positions of authority within the company, like a CEO or CFO, asking for an immediate wire transfer.

The fraudster pretends to sell goods online, but for the sole purpose of collecting credit card information and other personal details, which are then immediately used to perform fraudulent purchases at another site.

Where the transaction provides absolutely no indication of anything improper, clearly the hardest to detect.